Actually scanning the initial app but not the updates is pretty idiotic. Why do the scanning at all if you can easily circumvent it?

Still the reason so many downloaded it seems to be that not much bad was happening. SOME ask the user to install a malicious product. That brings you to the good area: it is pretty easy to block non-trustworthy apps (amazon, Facebook, google) from having too many access rights, and when apps start to do bad things they are removed.

Or in other words you always have a balance of risk and control. Apple has a bit less risk but much more control over you. Google seems to have a very small amount of extra risk but you are much more flexible. Every user has a choice here.

Time for Google to scrutinize not just the initial release, but every update as well.

Yeah, just copy Apple on that too.

Did Apple not copy the concept of a curated catalog of 3rd party application/program from someone else? I seem to recall my first dumbphone (Motorola) came with pre-installed game demos as well as the ability to access a catalog of more games. Sometime later, Palm also hosted a similar catalog with their PDAs. And if you want to go back before cell phones, my Compaq computer with Windows 95 also had pre-installed game demos with an internet accessible catalog of more 3rd party games.

Edit: Heck, one could go far back to the Sears/Macy's mail catalog of curated 3rd party merchandise in the mid-1800s.

Looking at the list of the 32 apps, a little over half were Russian and the rest were English. I personally don't use Russian apps as I don't read or speak that language. The English apps were all games and one wallpaper; many of the Russian ones were also.

I guess the lesson here is don't install B list or knock off games...

Although I would prefer to have more granular control over specific application permissions and network access built into the OS.

Could somebody that uses Android tell me how AlphaSMS, the "trojan that racks up charges by sending text messages to pricey services", works? On iOS, an app cannot send an email, text, or iMessage without each and every one of them being authorized by the user. Is Android not like that? If not, what benefits does allowing apps to SMS without the user's consent provide, and do they outweigh the obvious problems?

Or in other words you always have a balance of risk and control. Apple has a bit less risk but much more control over you. Google seems to have a very small amount of extra risk but you are much more flexible. Every user has a choice here.

Google's flexibility also ensures that if they put out a new version of Android with security updates next week, a very small percentage of users will be able to upgrade their phones. It's a good thing that we do not keep much personal information in our phones...

Google's flexibility also ensures that if they put out a new version of Android with security updates next week, a very small percentage of users will be able to upgrade their phones. It's a good thing that we do not keep much personal information in our phones...

Most phones are perfectly capable of taking new Android versions. It's the carriers that refuse to push out new OTA updates. In fact I recently read (here on Ars too, I think) that there's a lawsuit going on over that very thing.

Could somebody that uses Android tell me how AlphaSMS, the "trojan that racks up charges by sending text messages to pricey services", works? On iOS, an app cannot send an email, text, or iMessage without each and every one of them being authorized by the user. Is Android not like that? If not, what benefits does allowing apps to SMS without the user's consent provide, and do they outweigh the obvious problems?

Whenever you install an app, the system prompts you to give it permissions for certain sets of functionality (connect to the internet, read your contacts, send SMS, make calls, etc). After that, it's up to the app itself. If you had to authorize e.g. every text you sent out, third-party SMS, phone, email, etc. apps would be too cumbersome to use. Think Vista's UAC, except way more frequent.

As an infrequent app store user, how do I tell the difference between the real app and the knock off? The amount of reviews? Easily faked. Awesome logo? Stolen. Website looks good? Copied. Lively forums on their website? As trustworthy as "anti-virus reviews".

Could somebody that uses Android tell me how AlphaSMS, the "trojan that racks up charges by sending text messages to pricey services", works? On iOS, an app cannot send an email, text, or iMessage without each and every one of them being authorized by the user. Is Android not like that? If not, what benefits does allowing apps to SMS without the user's consent provide, and do they outweigh the obvious problems?

The benefit would be the existence of third party messaging applications. If I do not like the default messaging application, I can seamlessly switch to a rival one which will be capable of having full functionality of the stock application and be able to effectively replace it to the end user. The permission to allow applications to send text messages is provided by the user at the time of installation (at which point the user is notified and warned of potential consequences).

With Google Play, in cases where permissions change following an application update, the application cannot be auto-updated and the user must once again provide approval for all permissions before the update is installed. In theory at least, wallpaper applications requesting permissions to SMS should throw up red flags to the end user. However, in cases such as AlphaSMS, the application has legitimate reasons to access such a permission. A legitimate example SMS application would be this. View the permissions tab to see what permissions the user is consenting to by installing the application.

One thing to note though is that on Android, applications do not need permission at installation to share data with other browser/e-mail/SMS/etc. applications (provided user interaction/approval at the time of sharing). So, for example, if I wanted my application to send data via SMS/MMS, I could give the user the option to "share" the content with the installed SMS/MMS application of their choice.
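The two paths described in the posts above (sending through the user's own SMS app without holding any SMS permission, and spotting apps that do request SEND_SMS) as an added illustration in Android Java; this is example code written for this page, not code from any of the posters, and `SmsLeastPrivilege` and its method names are made up here.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.net.Uri;
import java.util.ArrayList;
import java.util.List;

public final class SmsLeastPrivilege {

    // Hands the message to the SMS app the user installed. The user still has
    // to press "send" there, and because this app's manifest declares no
    // SEND_SMS permission, it can never send a text on its own.
    public static Intent composeViaUserSmsApp(String phoneNumber, String body) {
        Intent intent = new Intent(Intent.ACTION_SENDTO,
                Uri.parse("smsto:" + phoneNumber));
        intent.putExtra("sms_body", body);
        return intent;
    }

    public static boolean shareViaSmsApp(Context ctx, String phoneNumber, String body) {
        Intent intent = composeViaUserSmsApp(phoneNumber, body);
        // resolveActivity() returns null when no installed app handles smsto: URIs
        if (intent.resolveActivity(ctx.getPackageManager()) == null) {
            return false;
        }
        ctx.startActivity(intent);
        return true;
    }

    // Audit helper: lists installed packages whose manifest requests SEND_SMS,
    // i.e. apps that can send texts in the background once installed. A
    // wallpaper or game showing up here is the "red flag" the post describes.
    // On Android 11 and later the package-visibility rules filter this list
    // unless the auditing app itself is granted broader query rights.
    public static List<String> packagesRequestingSendSms(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<String> hits = new ArrayList<>();
        for (PackageInfo info : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            String[] requested = info.requestedPermissions;
            if (requested == null) {
                continue;
            }
            for (String perm : requested) {
                if (android.Manifest.permission.SEND_SMS.equals(perm)) {
                    hits.add(info.packageName);
                    break;
                }
            }
        }
        return hits;
    }
}
```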

Google's flexibility also ensures that if they put out a new version of Android with security updates next week, a very small percentage of users will be able to upgrade their phones. It's a good thing that we do not keep much personal information in our phones...

Most phones are perfectly capable of taking new Android versions. It's the carriers that refuse to push out new OTA updates. In fact I recently read (here on Ars too, I think) that there's a lawsuit going on over that very thing.

It would also rely upon OEMs ensuring compatibility with and tailoring the update for their devices.

Or in other words you always have a balance of risk and control. Apple has a bit less risk but much more control over you. Google seems to have a very small amount of extra risk but you are much more flexible. Every user has a choice here.

Google's flexibility also ensures that if they put out a new version of Android with security updates next week, a very small percentage of users will be able to upgrade their phones. It's a good thing that we do not keep much personal information in our phones...

Just not true. The main security patches will be in the Google Play store, mostly server side as well. That is the main reason the Android update horror story is just not that terrible. You can upgrade the apps. Between Google Play, Chrome, etc., most security-related stuff is being taken care of. The same is true regarding functionality. Operating systems are canvases.

And I am not saying that the update restrictions are not annoying, but it's not as bad as people make it out to be.

Actually scanning the initial app but not the updates is pretty idiotic. Why do the scanning at all if you can easily circumvent it?

Still the reason so many downloaded it seems to be that not much bad was happening. SOME ask the user to install a malicious product. That brings you to the good area: it is pretty easy to block non-trustworthy apps (amazon, Facebook, google) from having too many access rights, and when apps start to do bad things they are removed.

Or in other words you always have a balance of risk and control. Apple has a bit less risk but much more control over you. Google seems to have a very small amount of extra risk but you are much more flexible. Every user has a choice here.

Are you all seriously going to continue a discussion about a phantom threat without a single report about any end user being affected?

Let me suggest some possible confirmations of a real actual threat:

1. Users report in online forums about experiencing problems
2. Your friends, family, or you yourself, suffer from the issue
3. Wireless carriers issue warnings about undesirable use of their service
4. The OS provider reports statistics of actual abuse

The vulnerability was not caused by the app itself or even an update, but a malicious ad network. So the original app asked for all the permissions, and then later on turned on the malicious ad network that then captured the information.

This is interesting because this type of scenario (to some degree) could seemingly happen on other platforms as well.

Quite frankly, I like the design of iOS much better. You can specifically turn off access to location services, contacts, calendar, photos and Bluetooth sharing on a per-app basis. The first time an app needs access to your contacts, you are prompted to give access. This way you know that you are giving access to a specific part of your phone to a specific app.

Contrast this to Android, where you are shown a whole list of permissions that you are going to grant to an app when you install it; it quickly becomes like the EULA that no one reads when they install Windows programs. Plus I can't disable certain permissions for an app even though I want to install the app. For example, my Facebook on iOS cannot access my location because I refuse to give it permission. Period. On Android, the moment you launch the app, Facebook grabs your location immediately. There is no way to stop this other than not using the app.

I think it is pretty sad that Android users won't accept that the OS not being regularly kept up to date for security vulnerabilities is a really bad thing about the platform...

I generally couldn't care less about what phone people use, but the lack of security updates for all Android devices is a massive weakness. It could easily be solved by supplying security updates for old versions as Microsoft does.

Or in other words you always have a balance of risk and control. Apple has a bit less risk but much more control over you. Google seems to have a very small amount of extra risk but you are much more flexible.

A bit less risk? Android hosts 96% of all malware. And what is this "control" you speak of? You can jailbreak your iPhone as easily as you can root your Android device.

Google is interested in getting devices in people's hands. Once there, they really don't give a shit. That sentiment trickles down from their leverage in updating versions of Android against manufacturers and carriers to the curation of their own app store.

Unless the flexibility you're speaking of consists of being able to wrap both hands around your ankles periodically, I don't know what you're talking about.

Actually scanning the initial app but not the updates is pretty idiotic. Why do the scanning at all if you can easily circumvent it?

Still the reason so many downloaded it seems to be that not much bad was happening. SOME ask the user to install a malicious product. That brings you to the good area: it is pretty easy to block non-trustworthy apps (amazon, Facebook, google) from having too many access rights, and when apps start to do bad things they are removed.

Or in other words you always have a balance of risk and control. Apple has a bit less risk but much more control over you. Google seems to have a very small amount of extra risk but you are much more flexible. Every user has a choice here.

"Small risk"? Seems like a persistent and pervasive problem to me.

And luckily perception is useless. If you look at the right news, yetis seem to be a persistent and pervasive problem to the Midwest. How about some real numbers on the number of Android users who had some financial loss through it?

I would be willing to bet your chances of getting mugged on the street are far higher. It's like PC applications but with robust sandboxing and with a central authority who pulls apps the moment someone is complaining. So definitely far better than PC software, and we survived those wild west days as well.

Time for Google to scrutinize not just the initial release, but every update as well.

Yeah, just copy Apple on that too.

Did Apple not copy the concept of a curated catalog of 3rd party application/program from someone else?

My earlier phones had a tiny library of available apps. I presume that Nokia, Moto and others all had very restrictive rules of who could put apps into the stores, and IIRC there were hundreds or maybe thousands of dollars of developer registration fees.

Methinks Apple replaced totally trust-based systems with automated scans of API calls, etc., to monitor prohibited activity, e.g., access to ID info. Which by this account, Google has not elected to do.

I don't know Google's rules/frameworks but Apple warned developers not to use the UDID back in 2011 and it's my impression that the more important data leaked in this story, the IMEI, is not even accessible thru Apple APIs.

So did earlier systems scan hundreds of thousands of apps, and each update, for prohibited/dangerous/illegal/deceptive activity? Somehow, I think not; maybe Microsoft set up a similar functionality but if there's history of that before 2008, it would sure be interesting to hear about it.

Could somebody that uses Android tell me how AlphaSMS, the "trojan that racks up charges by sending text messages to pricey services", works? On iOS, an app cannot send an email, text, or iMessage without each and every one of them being authorized by the user. Is Android not like that? If not, what benefits does allowing apps to SMS without the user's consent provide, and do they outweigh the obvious problems?

Whenever you install an app, the system prompts you to give it permissions for certain sets of functionality (connect to the internet, read your contacts, send SMS, make calls, etc). After that, it's up to the app itself. If you had to authorize e.g. every text you sent out, third-party SMS, phone, email, etc. apps would be too cumbersome to use. Think Vista's UAC, except way more frequent.

Actually, it isn't cumbersome at all. By 'authorize' what I meant is that the user has to actually click 'send' for each message on iOS (via the interface presented by the app via the official API). What I don't get is the benefit of allowing an app to send an infinite number of SMS messages in the background without even informing the user, as seems to be the case here (if I understand it correctly)?

P.S. I get that the approach of iOS probably limits some great apps as you cannot replace the included Messages app since, as far as I know, there is no way for 3rd party iOS apps to handle the receipt of incoming SMS messages (or iMessages). Also, I don't think 3rd party apps can customize the look of the MFMessageComposeViewController API. So I get that a more liberal API might be good. What I don't get is the benefit of allowing an app to initiate SMS messages without user input and then send them without user input and without informing the user.

Actually scanning the initial app but not the updates is pretty idiotic. Why do the scanning at all if you can easily circumvent it?

Still the reason so many downloaded it seems to be that not much bad was happening. SOME ask the user to install a malicious product. That brings you to the good area: it is pretty easy to block non-trustworthy apps (amazon, Facebook, google) from having too many access rights, and when apps start to do bad things they are removed.

Or in other words you always have a balance of risk and control. Apple has a bit less risk but much more control over you. Google seems to have a very small amount of extra risk but you are much more flexible. Every user has a choice here.

As an infrequent app store user, how do I tell the difference between the real app and the knock off? The amount of reviews? Easily faked. Awesome logo? Stolen. Website looks good? Copied. Lively forums on their website? As trustworthy as "anti-virus reviews".

Time for Google to scrutinize not just the initial release, but every update as well.

Yeah, just copy Apple on that too.

Did Apple not copy the concept of a curated catalog of 3rd party application/program from someone else?

My earlier phones had a tiny library of available apps. I presume that Nokia, Moto and others all had very restrictive rules of who could put apps into the stores, and IIRC there were hundreds or maybe thousands of dollars of developer registration fees.

Methinks Apple replaced totally trust-based systems with automated scans of API calls, etc., to monitor prohibited activity, e.g., access to ID info. Which by this account, Google has not elected to do.

I don't know Google's rules/frameworks but Apple warned developers not to use the UDID back in 2011 and it's my impression that the more important data leaked in this story, the IMEI, is not even accessible thru Apple APIs.

So did earlier systems scan hundreds of thousands of apps, and each update, for prohibited/dangerous/illegal/deceptive activity? Somehow, I think not; maybe Microsoft set up a similar functionality but if there's history of that before 2008, it would sure be interesting to hear about it.

I think you're twisting the intent and content of my original post, but I'll attempt to address your new direction. In my opinion, a lot of the adjectives you added on are frivolous. Your main question basically boils down to: "So did earlier [automated] systems scan for [specific types of] activity?" I added automated because I assume you desired non-human interactivity, although there could be something said about the original assembly line... Frankly, I think the question answers itself...

Of course, the extent of checks one performs on new inputs can differ from system to system with their own pros/cons. However, that's the beauty of engineering a particular design and its continuous evolution. As newer advances in technology arise, one can revisit, modify, and/or merge old techniques and ideas.

Actually scanning the initial app but not the updates is pretty idiotic. Why do the scanning at all if you can easily circumvent it?

Still the reason so many downloaded it seems to be that not much bad was happening. SOME ask the user to install a malicious product. That brings you to the good area: it is pretty easy to block non-trustworthy apps (amazon, Facebook, google) from having too many access rights, and when apps start to do bad things they are removed.

Or in other words you always have a balance of risk and control. Apple has a bit less risk but much more control over you. Google seems to have a very small amount of extra risk but you are much more flexible. Every user has a choice here.

Huh? There is a HUGE risk with Google. Android = Malware

Well with iOS there is the risk of being ripped to shreds by hungry sharks.

Personally I'd rather take my chances with a little malware than a hungry shark.

Actually scanning the initial app but not the updates is pretty idiotic. Why do the scanning at all if you can easily circumvent it?

Still the reason so many downloaded it seems to be that not much bad was happening. SOME ask the user to install a malicious product. That brings you to the good area: it is pretty easy to block non-trustworthy apps (amazon, Facebook, google) from having too many access rights, and when apps start to do bad things they are removed.

Or in other words you always have a balance of risk and control. Apple has a bit less risk but much more control over you. Google seems to have a very small amount of extra risk but you are much more flexible. Every user has a choice here.

Huh? There is a HUGE risk with Google. Android = Malware

Well with iOS there is the risk of being ripped to shreds by hungry sharks.

Personally I'd rather take my chances with a little malware than a hungry shark.

What I don't get is the benefit of allowing an app to initiate SMS messages without user input and then send them without user input and without informing the user.

I'm sure there are other examples, but I have friends that have installed 'auto responder' SMS apps. In one, it can detect when you're driving, and if you get an SMS it won't play a notification, and will respond to the person informing them that you're driving and that you will respond when you're available (or whatever else you want it to say).

Not something I use, but not an app that I think should be blocked either.

Time for Google to scrutinize not just the initial release, but every update as well.

True, they should have been doing that in the first place. I'm sure that Apple does that every single time an App is updated.

Google does look at updates; this has nothing to do with that process but with the ability of an app to send data to an ad network. The ad network was the point of failure, as it was replaced with a malicious network and the app sent said data to this network. This brings a whole new check into place, and in reality could also have consequences for other app stores that allow 3rd party ad networks in applications.

As an infrequent app store user, how do I tell the difference between the real app and the knock off? The amount of reviews? Easily faked. Awesome logo? Stolen. Website looks good? Copied. Lively forums on their website? As trustworthy as "anti-virus reviews".

One is called "Angry Birds" and the other, "Stupid Birds." I think even the most inept could figure that out.

As an infrequent app store user, how do I tell the difference between the real app and the knock off? The amount of reviews? Easily faked. Awesome logo? Stolen. Website looks good? Copied. Lively forums on their website? As trustworthy as "anti-virus reviews".

So if you end up buying an app from an unscrupulous developer, they already have your personal information. Yay!

Not sure why Ars overlooked that revelation while focusing on trivial issues like how long Siri stores anonymous data...

It's been that way since day one of the Google play store. It didn't just start happening.

But so what? I give out my postal address, name and email address to everyone I buy stuff from.

And for those who think that is a big deal, consider this: I just moved to a different end of the US. As soon as I got my drivers license, two local groceries, a pest control company, Culligan, two local tire shops, all my creditors knew my new address, within a month. They all sent coupons to me welcoming me to the city, and in some cases, actually sent it in my dad's name, even though he never moved.